Sadikhov IT Certification forums
gerg

traceroute tutorial / examples


i would like to have a tutorial on traceroute

 

sometimes these things don't make sense: a hop you know is there is not displayed, sometimes you get stars/asterisks (is this always a firewall?), sometimes the destination address is seen 5 times at the end instead of 1 time

 

any good links on this/tutorials?


Hi there,

 

I don't think there is a tutorial on this, I haven't seen one anyway,

but when you get stars, it means a HOP that is there does not send ICMP Unreachables...

It could be firewall, could be router configured with no icmp unreachables...

could be access-list on a router blocking that traffic.

 

and Destination address seen 5 times???? :)))))) as soon as the packet reaches the destination, traceroute has done its job!!! This just can't happen.

 

Regards,


okay thanks for the info!

 

sorry i have to disappoint you, i just checked my email with the traceroute: hops 1-5 are different hops to the destination, then hops 6-11 are all the same destination address


some more madness, the same address a couple of times in a row, copied from this link:

 

http://www.exit109.com/~jeremy/news/providers/traceroute.html

 

Here is another example of routing weirdness:

 

 

11 USW-phx-gw.customer.ALTER.NET (137.39.162.10) 142.840 ms 151.245 ms 129.564 ms

12 206.80.192.221 (206.80.192.221) 127.569 ms vdsla121.phnx.uswest.net (216.161.182.121) 185.214 ms *

13 vdsla121.phnx.uswest.net (216.161.182.121) 442.912 ms 205.956 ms 221.537 ms

14 vdsla121.phnx.uswest.net (216.161.182.121) 164.728 ms 186.997 ms 190.414 ms

15 vdsla121.phnx.uswest.net (216.161.182.121) 306.964 ms 189.152 ms 221.288 ms

 

All looks well until hop 12. At that hop, the first packet is replied to from 206.80.192.221, but the second and third (which should be coming from the same place) are being returned from a different address, and timing out, respectively. After that, hops 13, 14, and 15 are all showing the same address! Since the response times are actually different, though, we can guess that they are, in reality, different systems. The trace ends normally at hop 15.

 

So what the heck is going on here? US West says this is a security measure, to hide the details of their internal network. The last few hops all return the address of the end-user's ADSL line, rather than their actual address. I'm not entirely sure what kind of “security” this is meant to provide.

 

Obviously, this makes any kind of troubleshooting of this connection next to impossible. If you encounter problems in this situation, the best you can do is contact the network provider and let them deal with it.


http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml

 

The traceroute Command Inbound Through the PIX

Problem: The PIX Firewall hides all internal networks in the output of inbound traceroutes.

 

Resolution:

 

The PIX does not support the traceroute command. When a traceroute is issued from the outside, the PIX does not display its own interface IP address nor does it display the IP addresses of the inside networks. The destination address is displayed multiple times for each internal hop.

 

Traceroutes work only with static Network Address Translations (NATs) and not with Port Address Translation (PAT) IP addresses. For example, a client on the Internet with the address 209.165.202.130 performs a traceroute to a web server on the inside of the PIX with a public address of 209.165.201.25 and a private address of 10.1.3.25. There are two routers between the PIX and the internal web server. The traceroute output on the client machine appears this way:

 

Target IP address: 209.165.201.25

Source address: 209.165.202.130

 

Tracing the route to 209.165.201.25

1 209.165.202.128 4 msec 3 msec 4 msec

2 209.165.201.25 3 msec 5 msec 0 msec

3 209.165.201.25 4 msec 6 msec 3 msec

4 209.165.201.25 3 msec 2 msec 2 msec

 

In PIX version 6.3 and later, this behavior can be undone if the fixup protocol icmp error command is issued. When this feature is enabled, the PIX creates xlates for intermediate hops that send Internet Control Message Protocol (ICMP) error messages, based on the static NAT configuration. The PIX overwrites the packet with the translated IP addresses.

 

When NAT is enabled in PIX 7.0, the IP addresses of the PIX interfaces and the real IP addresses of the intermediate hops cannot be seen. However, in PIX 7.0, NAT is not essential and can be disabled with the no nat-control command. If the NAT rule is removed, the real IP address can be seen if it is a routeable one.
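The two traces quoted above (the exit109 one and the Cisco one) are worth checking mechanically rather than by eye. The following is an added example, my own code and not from the thread, the exit109 article or Cisco's note: it parses both the Unix ("host (ip) rtt ms") and IOS ("ip rtt msec") line formats, then flags probe timeouts, hops answered by more than one address, and a trailing run of hops that all carry the destination address. The run-length heuristic (N copies of the destination means N-1 hops hidden behind a NAT firewall) is an assumption drawn from the thread, and the sample traces are constructed from the lines quoted on this page.

```python
"""Parse traceroute output and flag the artifacts discussed in the thread:
probe timeouts ('*'), hops answered by several addresses, and a run of hops
that all answer with the destination address (a NAT firewall hiding what is
behind it). Added example, not the thread's or Cisco's code."""
import re
from typing import Optional

# One probe result: the responding address (None on timeout) and its RTT in ms.
Probe = tuple[Optional[str], Optional[float]]

# Tokens in the remainder of a hop line. Order matters: an RTT is tried before
# a bare address so that "127.569 ms" is never read as an address.
TOKEN = re.compile(
    r"(?P<star>\*)"
    r"|(?P<rtt>\d+(?:\.\d+)?)\s*ms(?:ec)?"
    r"|(?:(?P<host>\S+)\s+)?\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)"
    r"|(?P<bare>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_hop(line: str) -> tuple[int, list[Probe]]:
    """Parse one hop line of Unix ('host (ip) rtt ms') or Cisco IOS
    ('ip rtt msec') traceroute output into (hop number, probes)."""
    head = re.match(r"\s*(\d+)\s+(.*)", line)
    if head is None:
        raise ValueError(f"not a hop line: {line!r}")
    number, rest = int(head.group(1)), head.group(2)
    probes: list[Probe] = []
    responder: Optional[str] = None  # Unix traceroute prints the address only when it changes
    for tok in TOKEN.finditer(rest):
        if tok.group("star"):
            probes.append((None, None))
        elif tok.group("rtt"):
            probes.append((responder, float(tok.group("rtt"))))
        else:
            responder = tok.group("ip") or tok.group("bare")
    return number, probes


def parse_trace(text: str) -> dict[int, list[Probe]]:
    """Hop number -> probes, skipping header lines such as 'Tracing the route to ...'."""
    hops: dict[int, list[Probe]] = {}
    for line in text.strip().splitlines():
        if re.match(r"\s*\d+\s", line):
            number, probes = parse_hop(line)
            hops[number] = probes
    return hops


def timeouts(hops: dict[int, list[Probe]]) -> dict[int, int]:
    """Hops with at least one unanswered probe, with the count of '*' entries."""
    return {n: sum(1 for ip, _ in p if ip is None)
            for n, p in hops.items() if any(ip is None for ip, _ in p)}


def mixed_responders(hops: dict[int, list[Probe]]) -> dict[int, list[str]]:
    """Hops whose replies came from more than one address (exit109 hop 12)."""
    return {n: sorted({ip for ip, _ in p if ip})
            for n, p in hops.items() if len({ip for ip, _ in p if ip}) > 1}


def hidden_hops(hops: dict[int, list[Probe]], destination: str) -> int:
    """Length of the trailing run of hops whose every answered probe carries the
    destination address, minus one for the destination itself. This is the
    thread's rule of thumb (an assumption, not a protocol guarantee): N copies
    of the destination => N-1 hops hidden behind a NAT firewall."""
    run = 0
    for n in sorted(hops, reverse=True):
        answered = [ip for ip, _ in hops[n] if ip]
        if answered and all(ip == destination for ip in answered):
            run += 1
        else:
            break
    return max(run - 1, 0)


# Constructed sample input: the two traces quoted in this thread.
EXIT109_TRACE = """
11 USW-phx-gw.customer.ALTER.NET (137.39.162.10) 142.840 ms 151.245 ms 129.564 ms
12 206.80.192.221 (206.80.192.221) 127.569 ms vdsla121.phnx.uswest.net (216.161.182.121) 185.214 ms *
13 vdsla121.phnx.uswest.net (216.161.182.121) 442.912 ms 205.956 ms 221.537 ms
14 vdsla121.phnx.uswest.net (216.161.182.121) 164.728 ms 186.997 ms 190.414 ms
15 vdsla121.phnx.uswest.net (216.161.182.121) 306.964 ms 189.152 ms 221.288 ms
"""

PIX_TRACE = """
Tracing the route to 209.165.201.25
1 209.165.202.128 4 msec 3 msec 4 msec
2 209.165.201.25 3 msec 5 msec 0 msec
3 209.165.201.25 4 msec 6 msec 3 msec
4 209.165.201.25 3 msec 2 msec 2 msec
"""

if __name__ == "__main__":
    for name, text, dest in (("exit109", EXIT109_TRACE, "216.161.182.121"),
                             ("PIX", PIX_TRACE, "209.165.201.25")):
        hops = parse_trace(text)
        print(name, "timeouts:", timeouts(hops), "mixed:", mixed_responders(hops),
              "hidden hops behind NAT:", hidden_hops(hops, dest))
```

Run against the Cisco trace this reports two hidden hops, which is exactly the "two routers between the PIX and the internal web server" the note describes; against the exit109 trace it reports two as well, and additionally flags hop 12 for both a timeout and two different responders.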


summary:

 

the verdict is in!

 

firewalls like fwsm, asa, pix don't decrement ttl and therefore you don't see them show up in traceroutes (more secure)

 

these firewalls also hide the hops lying behind them

 

therefore if you see a destination address 5 times, it means there are 4 intermediate hops after the firewall, and then you reach the destination address
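Both effects in this thread (the earlier reply's point that a row of stars is a hop that simply does not send the ICMP error back, and the summary's rule that a firewall which neither decrements TTL nor exposes inside addresses makes the destination appear once per hidden hop) fall out of how traceroute works: each probe carries a TTL, each real router decrements it, and whichever device drives it to zero is the one that answers. The following simulation is an added example, my own code and not from the thread or from Cisco; the `Node` model, its flags, the firewall and inside-router addresses (10.1.x.x and 209.165.202.129) and the RFC 5737 addresses in the first scenario are all constructed. The public addresses in the second scenario are the ones from the Cisco note quoted above. RTTs are not modeled.

```python
"""Simulate what a TTL-based traceroute sees across different kinds of hops.
Added example, not code from the thread: it models a hop that stays silent
(rows of '*') and a PIX-style firewall that neither decrements TTL nor
exposes the addresses of the hops behind it."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Node:
    address: str
    public_address: Optional[str] = None  # static NAT address of a host behind the firewall
    decrements_ttl: bool = True           # False: transparent firewall, never appears as a hop
    sends_icmp_errors: bool = True        # False: ACL or 'no ip unreachables' -> probe times out
    nat_hides_inside: bool = False        # True: rewrites inside hops' ICMP errors to the target


def send_probe(path: list[Node], ttl: int, target: str):
    """Carry one probe with the given TTL along `path`.
    Returns (apparent reply source, reply kind); (None, None) means no reply."""
    behind_nat = False
    for node in path:
        if target in (node.address, node.public_address):
            # Destination reached: it answers with ICMP port unreachable, which ends the trace.
            return target, "unreachable"
        if node.nat_hides_inside:
            behind_nat = True
        if not node.decrements_ttl:
            continue  # TTL untouched, so this device can never be the one that expires it
        ttl -= 1
        if ttl == 0:
            if not node.sends_icmp_errors:
                return None, None  # no ICMP time exceeded: the prober prints '*'
            # ICMP time exceeded. Leaving through a NAT firewall, its source is rewritten
            # to the probe's public target, so the hop looks like the destination.
            return (target if behind_nat else node.address), "time-exceeded"
    return None, None


def traceroute(path: list[Node], target: str, max_hops: int = 30, probes: int = 3):
    """Rows as the probing host would print them: (ttl, [reply source or '*'] * probes).
    Stops after the first row in which the destination itself answered."""
    rows = []
    for ttl in range(1, max_hops + 1):
        replies = [send_probe(path, ttl, target) for _ in range(probes)]
        rows.append((ttl, [addr if addr else "*" for addr, _ in replies]))
        if any(kind == "unreachable" for _, kind in replies):
            break
    return rows


# Scenario 1 (the earlier reply): a router that does not send ICMP errors shows
# up as a row of stars. Addresses are constructed (RFC 5737 TEST-NET-1).
SILENT_HOP_PATH = [
    Node("192.0.2.1"),
    Node("192.0.2.2", sends_icmp_errors=False),
    Node("192.0.2.3"),
    Node("192.0.2.10"),
]

# Scenario 2 (the summary / Cisco note): a PIX-style firewall that neither
# decrements TTL nor exposes inside addresses. 209.165.202.128 and the server's
# addresses are from the Cisco example; the firewall and inside routers are constructed.
PIX_PATH = [
    Node("209.165.202.128"),
    Node("209.165.202.129", decrements_ttl=False, nat_hides_inside=True),
    Node("10.1.1.1"),
    Node("10.1.2.1"),
    Node("10.1.3.25", public_address="209.165.201.25"),
]

if __name__ == "__main__":
    for title, path, target in (("silent hop", SILENT_HOP_PATH, "192.0.2.10"),
                                ("PIX with static NAT", PIX_PATH, "209.165.201.25")):
        print(f"--- {title}: trace to {target}")
        for ttl, replies in traceroute(path, target):
            print(f"{ttl:2d}  " + "  ".join(replies))
```

In the second scenario the output is one row of 209.165.202.128 followed by three rows of 209.165.201.25, the same shape as the Cisco trace: the firewall itself never appears because it does not expire the TTL, the two inside routers appear under the server's public address, and only the last row is the server actually answering. Note that the trace does not stop at the first rewritten row, because those replies are still ICMP time exceeded rather than port unreachable.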


What does the syntax mean for extended ping:

 

trace yahoo.com (example) sip 200.1.1.2

 

I couldn't find the syntax for sip?

 

Is sip = source IP?

 

200.1.1.2 is the source and yahoo.com is the target.

 

TIA!


yeah i think so

 

it's always trace destination

 

then whatever comes afterwards is optional


Thanks gerg! Is there a Cisco reference for this command parameters?

I could not find anything on the Cisco site.
